Target, Sony, Yahoo, Equifax, Uber. The names read like a rogues' gallery of big companies that have fallen victim to hacking or have misused their customers' data. Due to its abstract nature, data protection isn't something that gets many citizens worked up. But if data really is the new oil, then perhaps it is time that consumers get more concerned that their riches are being stolen from under their feet, or computer.
Enter the Eurocrats?
In Europe, the E.U. has stepped in with a law, the General Data Protection Regulation (GDPR), that is intended both to give control over data back to consumers, and align the various European data protection regimes in order to make life easier for business. Already in force, though not enforceable until May 2018, the GDPR creates significant new consumer rights, including the right to be notified of a breach, the right to access data, the right to data portability, and the right to be forgotten.
The regulation is a welcome harmonization for big, Europe-wide cloud providers who offer pan-EU services, but many companies, including within the Digital Finance and Commerce (DFC) space, are worried about how to remain compliant and to keep themselves out of trouble with national data regulators.
Who is covered by GDPR?
Companies that are:
- based in the EU, or
- handle the data of EU-based individuals, or
- in business with any organization that handles such data.
This piece of European legislation evidently casts a very wide net and has implications for companies located outside the European Union. In operational terms, the regulation creates the need for business processes that can proactively demonstrate compliance, rather than anticipating sporadic audits or periodic checks. For fintech companies, this boils down to essentially treating customers' data as being as precious as their money.
It is no longer good enough to catch breaches after they happen. Companies must now proactively try to ensure that they never happen in the first place, and design systems and processes to that effect. Notably, to be fully compliant, they must be able to demonstrate that this is the case by embracing the concept of 'Privacy by Design'.
A Bill of Consumer Data Rights
But if, or when, a breach occurs, an effective response and notification plan must exist: no more paying six-figure sums to hackers to keep the hack quiet. Instead, the supervisory authority must be informed within 72 hours of any breach, whether it be a hack or inappropriate use of consumer data within an organization or between organizations.
That is a step change from the current average of an 11-day response time by large companies, and a world away from breaches that were only eventually revealed to the public months or even years after the event. So from here on out, impacted customers must be informed "without undue delays" of the breach, its likely outcomes and the remedial actions the company intends to perform.
Main Provisions of GDPR
- Breach Notification
- Right to Access
- Data Erasure
- Data Portability
- Privacy by Design
- Data Protection Officers
The practical effects of GDPR manifest themselves in small but significant ways. For example, contrary to the UK's Data Protection Act (which GDPR will replace upon enforceability in May 2018), opt-out consent will no longer be an acceptable means of obtaining data subject consent, and in certain instances there is a presumption that consent is not being freely given. Additionally, it must be as easy for consent to be withdrawn as it was to give it, and data subjects also have the right to have their data erased once consent is withdrawn.
So, at the most basic level, if an email subscriber decides to unsubscribe (having given explicit opt-in consent to receive emails), by unsubscribing they are also revoking consent and their data must be erased by the data controller. Similarly (as currently exists in Germany), opt-outs from targeted ads should also be available, meaning that, unless you want them to, adverts for orthopedic socks will no longer follow you around the internet because of that one time you accidentally clicked on an ad on a random website.
Hit Where It Hurts
The penalties for infraction are serious, and have the potential to run to €20 million or 4% of annual worldwide turnover. But any business whose motivation in GDPR implementation is solely to avoid a fine is losing sight of the business opportunity that GDPR is creating. A recent global survey by McAfee of 800 senior business decision-makers in businesses with more than 500 employees from across eight countries found that more than two-thirds of respondents believed that GDPR would be a net positive for Europe, promoting investment and creating business opportunities through customer acquisition and retention.
Take for example Alibaba's co-location agreement with Vodafone. Although it clearly had significant attractions for Alibaba's cloud computing arm, Alibaba Cloud, the company's global GM pointed to Germany's stringent data security standards as an attractive feature of the chosen Frankfurt site.
"Alibaba Cloud chose Germany as the home for our first data centre in Europe, for its highly developed technology infrastructure and location in the heart of Europe, to demonstrate our commitment to the highest standards in data security, and to reinforce our global expansion strategy."
Ethan Yu, Vice President of Alibaba Group and General Manager of Alibaba Cloud Global
This is not to say, however, that there aren't (potentially significant) costs associated with the GDPR. Some estimates put the loss to the EU's GDP at €82bn and speculate that as many as 1.3mn jobs could be lost across Europe. This, however, is a gross figure, and does not take into account any gains from the commercial advantages that a strong and robust European data protection regime can deliver. Indeed, there exist significant opportunities for RegTech businesses to step in to help large companies, particularly multinational corporations, deal with the demands of new and potentially competing data protection regimes.
Unlike in some other jurisdictions, small businesses are not given a blanket exemption from the GDPR and are likely to find the new compliance challenge harder. Many SMEs do not have the resources to outsource data management and lack technical capacity to properly handle and secure consumer data, though businesses with under 250 employees are exempted from some areas, such as record keeping and the obligation to hire a data protection officer. But let's not forget that these obligations apply to businesses that hold data on EU persons, no matter where they are located.
Eyes On The GDPR Ball
There is a sense that companies outside of the EU have been slow to recognize their obligations under GDPR, but even though the enforceability date is only 6 months away, it is not too late for organizations and their CIOs to become compliant. In particular, a data audit to identify data access and capture points is an urgent necessity, which must then be followed up by proactive efforts to gain data subject consent for the justified use of personal data, along with enhanced consent, with specifics, for data sharing. Even a relatively minor breach, or a failure to inform the regulator, could result in fines of up to 2% of turnover, and considerable reputational damage (just ask Uber).
The idea that data is the new oil is perhaps more revealing than those who conceived it intended. In the 1970s and 1980s, fear of reputational damage alone was not enough to ensure oil companies didn't allow massive leaks of their valuable resource, and it took greater regulation to reduce the number of oil spills. When it comes to data, the EU has brought a new sheriff to town, and DFC companies the world over need to be aware that this sheriff is going to chase thieves, leakers and polluters right across state lines. The era of cowboy businesses being cavalier with consumer ownership of their data is likely soon to be coming to an end.